Public and private sector organizations have experienced numerous major incidents related to cybersecurity over the past few years. Indeed, many experts claim it is just a matter of time before everyone experiences a data breach or significant cyber event such as a widespread ransomware infection.

So how can the public sector prepare for cybersecurity events that have the potential to disrupt their critical operations? Governments are known for following Federal Emergency Management Agency (FEMA) response and recovery guidance in natural disaster situations such as Hurricane Harvey, but cybersecurity incidents are certainly different in many respects. How should organizations prepare now so they can recover when events happen?

In many state and local governments this topic has been on the front burner for several years, leading the National Association of State CIOs (NASCIO) to create a Cybersecurity Disruption Response Planning Guide last year, which includes best practices from many jurisdictions.

States like Michigan are now on the second version of their cyber disruption response plans. Michigan's plan involves public and private entities that protect critical infrastructure at the local, state and national levels. I covered more details on these state-specific cyber planning efforts several years ago.

Michigan even brings in its Cyber Civilian Corps if the Governor declares a cyber emergency, and these mechanisms are now written into law. However, the training, planning and preparation for these events come well before any cyber emergency. States like Michigan also hold annual cyber tabletop exercises to practice for potential disruption scenarios.

Federal Government Cyber Event Planning

But what about national guidance on planning for cyber incidents for the federal government and others? Most public and private sector organizations look to the National Institute of Standards and Technology (NIST) to do the required research and provide guidance and direction, in the same way that NIST developed, released and updated the Cybersecurity Framework.

Fortunately, I have some good news for you.

Back in mid-October, I sat on the ransomware panel at CyberMaryland in Baltimore, and I sat next to Michael (Mike) Bartock on the panel from NIST.

Mr. Bartock is an IT specialist in the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology. He performs applied cybersecurity research specializing in hardware roots of trust to enforce policy-based cloud workload migration, LTE backhaul protection, and derived PIV credentials. His work focuses on collaborating with industry partners to build and implement proof-of-concept reference architectures. He has experience in managing virtualized environments, cloud computing, software development, cryptography, derived PIV credentials, and LTE security for public safety networks. He received his Bachelor's in Mathematics from the University of Maryland.

Many of Mike's answers on ransomware and other cyber incidents referenced NIST SP 800-184, a guide that came out in December 2016 on cybersecurity event response and recovery. The title of the document is "Guide for Cybersecurity Event Recovery."

“The purpose of this document is to support organizations in a technology-neutral way in improving their cyber event recovery plans, processes, and procedures, with the goal of resuming normal operations more quickly. This document extends, and does not replace, existing federal guidelines regarding incident response by providing actionable information specifically on preparing for cyber event recovery and achieving continuous improvement of recovery capabilities. It points readers to existing guidance for recovery of information technology.”

Here's how NIST introduces this cybersecurity topic on its website: "'Defense! Defense!' may be the rallying cry from cybersecurity teams working to thwart cybersecurity attacks, but perhaps they should be shouting 'Recover! Recover!' instead."

The helpful NIST Guide offers sections including an executive summary, purpose and scope, planning for cyber event recovery, continuous improvement, recovery metrics, building a playbook, some example scenarios and several appendix checklists for your playbooks, including references. Note: You can see the outline of the table of contents at the end of this blog.

I was very impressed with Mike’s panel answers, so I asked him if he would be willing to be interviewed for my blog. He agreed, so I offer that exclusive interview to you below.

What actions do organizations need to take to prepare for cybersecurity incidents? The National Institute of Standards and Technology (NIST) has answers in Special Publication SP 800-184, entitled "Guide for Cybersecurity Event Recovery." Here's an exclusive interview with one of the authors.